github.com/google/syzkaller@v0.0.0-20240517125934-c0f1611a36d6/sys/linux/security_smack.txt (about) 1 # Copyright 2018 syzkaller project authors. All rights reserved. 2 # Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file. 3 4 include <uapi/linux/fcntl.h> 5 include <security/smack/smack.h> 6 7 resource fd_smack_current[fd] 8 9 type smack_labelnoz stringnoz 10 11 smack_label { 12 label smack_labelnoz 13 z const[0, int8] 14 } [packed] 15 16 openat$smack_task_current(fd const[AT_FDCWD], file ptr[in, string["/proc/self/attr/current"]], flags const[O_RDWR], mode const[0]) fd_smack_current 17 openat$smack_thread_current(fd const[AT_FDCWD], file ptr[in, string["/proc/thread-self/attr/current"]], flags const[O_RDWR], mode const[0]) fd_smack_current 18 write$smack_current(fd fd_smack_current, data ptr[in, smack_label], len len[data]) 19 20 setxattr$smack_xattr_label(path ptr[in, filename], name ptr[in, string[smack_xattr_entry]], val ptr[in, smack_label], size len[val], flags flags[setxattr_flags]) 21 lsetxattr$smack_xattr_label(path ptr[in, filename], name ptr[in, string[smack_xattr_entry]], val ptr[in, smack_label], size len[val], flags flags[setxattr_flags]) 22 fsetxattr$smack_xattr_label(fd fd, name ptr[in, string[smack_xattr_entry]], val ptr[in, smack_label], size len[val], flags flags[setxattr_flags]) 23 24 smack_xattr_entry = "security.SMACK64", "security.SMACK64IPIN", "security.SMACK64IPOUT", "security.SMACK64EXEC", "security.SMACK64MMAP" 25 26 setxattr$security_smack_transmute(path ptr[in, filename], name ptr[in, string["security.SMACK64TRANSMUTE"]], val ptr[in, stringnoz["TRUE"]], size len[val], flags flags[setxattr_flags]) 27 lsetxattr$security_smack_transmute(path ptr[in, filename], name ptr[in, string["security.SMACK64TRANSMUTE"]], val ptr[in, stringnoz["TRUE"]], size len[val], flags flags[setxattr_flags]) 28 fsetxattr$security_smack_transmute(fd fd, name ptr[in, string["security.SMACK64TRANSMUTE"]], val ptr[in, stringnoz["TRUE"]], size len[val], flags flags[setxattr_flags]) 29 30 # -rwxatlbRWXATLB 31 perm = "", "-", "r", "w", "rw", "x", "rx", "wx", "rwx", "a", "ra", "wa", "rwa", "xa", "rxa", "wxa", "rwxa", "t", "rt", "wt", "rwt", "xt", "rxt", "wxt", "rwxt", "at", "rat", "wat", "rwat", "xat", "rxat", "wxat", "rwxat", "b", "rb", "wb", "rwb", "xb", "rxb", "wxb", "rwxb", "ab", "rab", "wab", "rwab", "xab", "rxab", "wxab", "rwxab", "tb", "rtb", "wtb", "rwtb", "xtb", "rxtb", "wxtb", "rwxtb", "atb", "ratb", "watb", "rwatb", "xatb", "rxatb", "wxatb", "rwxatb", "l", "rl", "wl", "rwl", "xl", "rxl", "wxl", "rwxl", "al", "ral", "wal", "rwal", "xal", "rxal", "wxal", "rwxal", "tl", "rtl", "wtl", "rwtl", "xtl", "rxtl", "wxtl", "rwxtl", "atl", "ratl", "watl", "rwatl", "xatl", "rxatl", "wxatl", "rwxatl", "bl", "rbl", "wbl", "rwbl", "xbl", "rxbl", "wxbl", "rwxbl", "abl", "rabl", "wabl", "rwabl", "xabl", "rxabl", "wxabl", "rwxabl", "tbl", "rtbl", "wtbl", "rwtbl", "xtbl", "rxtbl", "wxtbl", "rwxtbl", "atbl", "ratbl", "watbl", "rwatbl", "xatbl", "rxatbl", "wxatbl", "rwxatbl" 32 type smack_perm stringnoz[perm] 33 34 smackfs_access { 35 subject smack_labelnoz 36 sp0 const[' ', int8] 37 object smack_labelnoz 38 sp1 const[' ', int8] 39 access smack_perm 40 z const[0, int8] 41 } [packed] 42 43 smackfs_change_access { 44 subject smack_labelnoz 45 sp0 const[' ', int8] 46 object smack_labelnoz 47 sp1 const[' ', int8] 48 allow smack_perm 49 sp2 const[' ', int8] 50 deny smack_perm 51 z const[0, int8] 52 } [packed] 53 54 resource fd_smackfs_access[fd] 55 smackfs_access_files = "/sys/fs/smackfs/access", "/sys/fs/smackfs/access2" 56 openat$smackfs_access(fd const[AT_FDCWD], file ptr[in, string[smackfs_access_files]], flags const[O_RDWR], mode const[0]) fd_smackfs_access 57 write$smackfs_access(fd fd_smackfs_access, buf ptr[in, smackfs_access], count len[buf]) 58 read$smackfs_access(fd fd_smackfs_access, buf ptr[out, fmt[dec, intptr[0:1]]], count len[buf]) 59 60 # load, load2, load-self, load-self2 61 resource fd_smackfs_load[fd] 62 smackfs_load_files = "/sys/fs/smackfs/load", "/sys/fs/smackfs/load2", "/sys/fs/smackfs/load-self", "/sys/fs/smackfs/load-self2" 63 openat$smackfs_load(fd const[AT_FDCWD], file ptr[in, string[smackfs_load_files]], flags const[O_RDWR], mode const[0]) fd_smackfs_load 64 write$smackfs_load(fd fd_smackfs_load, buf ptr[in, smackfs_access], count len[buf]) 65 66 # ambient, unconfined, syslog, revoke-subject 67 resource fd_smackfs_label[fd] 68 openat$smackfs_ambient(fd const[AT_FDCWD], file ptr[in, string["/sys/fs/smackfs/ambient"]], flags const[O_RDWR], mode const[0]) fd_smackfs_label 69 openat$smackfs_unconfined(fd const[AT_FDCWD], file ptr[in, string["/sys/fs/smackfs/unconfined"]], flags const[O_RDWR], mode const[0]) fd_smackfs_label 70 openat$smackfs_revoke_subject(fd const[AT_FDCWD], file ptr[in, string["/sys/fs/smackfs/revoke-subject"]], flags const[O_RDWR], mode const[0]) fd_smackfs_label 71 openat$smackfs_syslog(fd const[AT_FDCWD], file ptr[in, string["/sys/fs/smackfs/syslog"]], flags const[O_RDWR], mode const[0]) fd_smackfs_label 72 write$smackfs_label(fd fd_smackfs_label, buf ptr[in, smack_label], count len[buf]) 73 74 resource fd_smackfs_change_rule[fd] 75 openat$smackfs_change_rule(fd const[AT_FDCWD], file ptr[in, string["/sys/fs/smackfs/change-rule"]], flags const[O_RDWR], mode const[0]) fd_smackfs_change_rule 76 write$smackfs_change_rule(fd fd_smackfs_change_rule, buf ptr[in, smackfs_change_access], count len[buf]) 77 78 smackfs_cipso_category { 79 cat fmt[dec, int8[0:SMACK_CIPSO_MAXCATNUM]] 80 sp const[' ', int8] 81 } 82 83 smackfs_cipso { 84 label smack_labelnoz 85 sp0 const[' ', int8] 86 # NEED: format specifiers with the given len ("%04d"). 87 # Kernel expects level to take exactly 4 (SMK_DIGITLEN) chars. 88 # This affects lots of other fmt's in this file too. 89 level fmt[dec, int8[0:SMACK_CIPSO_MAXLEVEL]] 90 sp1 const[' ', int8] 91 num fmt[dec, len[cats]] 92 sp2 const[' ', int8] 93 cats array[smackfs_cipso_category] 94 z const[0, int8] 95 } [packed] 96 97 resource fd_smackfs_cipso[fd] 98 smackfs_cipso_files = "/sys/fs/smackfs/cipso", "/sys/fs/smackfs/cipso2" 99 openat$smackfs_cipso(fd const[AT_FDCWD], file ptr[in, string[smackfs_cipso_files]], flags const[O_RDWR], mode const[0]) fd_smackfs_cipso 100 write$smackfs_cipso(fd fd_smackfs_cipso, buf ptr[in, smackfs_cipso], count len[buf]) 101 102 # direct, doi, mapped 103 resource fd_smackfs_cipsonum[fd] 104 smackfs_cipsonum_files = "/sys/fs/smackfs/direct", "/sys/fs/smackfs/doi", "/sys/fs/smackfs/mapped" 105 openat$smackfs_cipsonum(fd const[AT_FDCWD], file ptr[in, string[smackfs_cipsonum_files]], flags const[O_RDWR], mode const[0]) fd_smackfs_cipsonum 106 # It's ok to write number here without '\0' 107 write$smackfs_cipsonum(fd fd_smackfs_cipsonum, buf ptr[in, fmt[dec, intptr]], count len[buf]) 108 read$smackfs_cipsonum(fd fd_smackfs_cipsonum, buf ptr[out, fmt[dec, intptr]], count len[buf]) 109 110 smack_ipv6 { 111 d1 fmt[hex, int8] 112 sp1 const[':', int8] 113 d2 fmt[hex, int8] 114 sp2 const[':', int8] 115 d3 fmt[hex, int8] 116 sp3 const[':', int8] 117 d4 fmt[hex, int8] 118 sp4 const[':', int8] 119 d5 fmt[hex, int8] 120 sp5 const[':', int8] 121 d6 fmt[hex, int8] 122 sp6 const[':', int8] 123 d7 fmt[hex, int8] 124 sp7 const[':', int8] 125 d8 fmt[hex, int8] 126 } [packed] 127 128 smack_ipv6host_wo_mask { 129 ipv6 smack_ipv6 130 sp const[' ', int8] 131 label smack_labelnoz 132 z const[0, int8] 133 } [packed] 134 135 smack_ipv6host_w_mask { 136 ipv6 smack_ipv6 137 bs const['/', int8] 138 mask fmt[dec, int8] 139 sp const[' ', int8] 140 label smack_labelnoz 141 z const[0, int8] 142 } [packed] 143 144 smack_ipv6host [ 145 l1 smack_ipv6host_wo_mask 146 l2 smack_ipv6host_w_mask 147 ] [varlen] 148 149 resource fd_smackfs_ipv6host[fd] 150 openat$smackfs_ipv6host(fd const[AT_FDCWD], file ptr[in, string["/sys/fs/smackfs/ipv6host"]], flags const[O_RDWR], mode const[0]) fd_smackfs_ipv6host 151 write$smackfs_ipv6host(fd fd_smackfs_ipv6host, buf ptr[in, smack_ipv6host], count len[buf]) 152 153 smack_ipv4 { 154 d1 fmt[dec, int8] 155 sp1 const['.', int8] 156 d2 fmt[dec, int8] 157 sp2 const['.', int8] 158 d3 fmt[dec, int8] 159 sp3 const['.', int8] 160 d4 fmt[dec, int8] 161 sp4 const['.', int8] 162 } [packed] 163 164 smack_netlabel_wo_mask { 165 ipv4 smack_ipv4 166 sp const[' ', int8] 167 label smack_labelnoz 168 z const[0, int8] 169 } [packed] 170 171 smack_netlabel_w_mask { 172 ipv4 smack_ipv4 173 bs const['/', int8] 174 mask fmt[dec, int8] 175 sp const[' ', int8] 176 label smack_labelnoz 177 z const[0, int8] 178 } [packed] 179 180 smack_netlabel [ 181 l1 smack_netlabel_wo_mask 182 l2 smack_netlabel_w_mask 183 ] [varlen] 184 185 resource fd_smackfs_netlabel[fd] 186 openat$smackfs_netlabel(fd const[AT_FDCWD], file ptr[in, string["/sys/fs/smackfs/netlabel"]], flags const[O_RDWR], mode const[0]) fd_smackfs_netlabel 187 write$smackfs_netlabel(fd fd_smackfs_netlabel, buf ptr[in, smack_netlabel], count len[buf]) 188 189 resource fd_smackfs_logging[fd] 190 openat$smackfs_logging(fd const[AT_FDCWD], file ptr[in, string["/sys/fs/smackfs/logging"]], flags const[O_RDWR], mode const[0]) fd_smackfs_logging 191 # It's ok to write number here without '\0' 192 write$smackfs_logging(fd fd_smackfs_logging, buf ptr[in, fmt[dec, intptr[0:3]]], count len[buf]) 193 read$smackfs_logging(fd fd_smackfs_logging, buf ptr[out, fmt[dec, intptr[0:3]]], count len[buf]) 194 195 smackfs_labels_list_el { 196 label smack_labelnoz 197 sp const[' ', int8] 198 } [packed] 199 200 smackfs_labels_list { 201 labels array[smackfs_labels_list_el] 202 z const[0, int8] 203 } [packed] 204 205 resource fd_smackfs_labels_list[fd] 206 207 # onlycap changes global restrictive policy and may need to be disabled 208 # for more effective fuzzing 209 openat$smackfs_onlycap(fd const[AT_FDCWD], file ptr[in, string["/sys/fs/smackfs/onlycap"]], flags const[O_RDWR], mode const[0]) fd_smackfs_labels_list 210 openat$smackfs_relabel_self(fd const[AT_FDCWD], file ptr[in, string["/sys/fs/smackfs/relabel-self"]], flags const[O_RDWR], mode const[0]) fd_smackfs_labels_list 211 write$smackfs_labels_list(fd fd_smackfs_labels_list, buf ptr[in, smackfs_labels_list], count len[buf]) 212 213 resource fd_smackfs_ptrace[fd] 214 openat$smackfs_ptrace(fd const[AT_FDCWD], file ptr[in, string["/sys/fs/smackfs/ptrace"]], flags const[O_RDWR], mode const[0]) fd_smackfs_ptrace 215 # It's ok to write number here without '\0' 216 write$smackfs_ptrace(fd fd_smackfs_ptrace, buf ptr[in, fmt[dec, intptr[SMACK_PTRACE_DEFAULT:SMACK_PTRACE_MAX]]], count len[buf]) 217 read$smackfs_ptrace(fd fd_smackfs_ptrace, buf ptr[out, fmt[dec, intptr[SMACK_PTRACE_DEFAULT:SMACK_PTRACE_MAX]]], count len[buf])